Live brief · Weekly 2026-W27
CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 — Ubiquiti UniFi OS Server: pre-auth RCE chain, exploited (CISA KEV)
Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))
Three max-severity (CVSS 10.0) flaws in UniFi OS Server — improper access control and path traversal that bypass authentication and reach an unauthenticated RCE endpoint — were patched and KEV-listed with confirmed exploitation. UniFi controllers are common in DACH SME, education and public-sector branch networks; the management plane is frequently exposed. Patch and audit controller-account integrity.
Source: ctipilot v2 brief (migrated)